PBR on 2811 not working.... access-list issue

Thought this would be pretty simple but am failing here with the basics. Trying to policy route internet traffic from a particular host (10.3.201.1) via a dedicated internet link rather than via the corporate WAN. The access-list I am using for the route map just doesn't get any matches. Other access-lists I have placed on the 2811 do not accumulate matches either so I am guessing this is the cause. A show ip int g0/1.3 tells me PBR is enabled on the interface using my route-map. Any clues most welcome.

Replies

If you traceroute to an internet host, what path does it show? Can you get out? You are testing from the 10.3.201.1 device, correct? You can check which way you are going out by using a website like ipchicken.com.

Yeah this should be so simple it's really winding me up! I think I might be up late as well..... Have just started tinkering more with the ACLs. This one for example isn't applied to anything but I should still see matches, right? I have a persistent ping happening to 8.8.8.8 from the 10.3.201.1 host. Still no matches. It seems that no ACL on this router gets a match!

I'm going to go out on a limb here, but is the host that you're pinging from addressed as 10.3.201.1 on the WAN side? If not, you'll need to source your ping in order for your PBR to work. For example:

WAN side: 192.168.3.1/24

LAN side: 10.3.201.1

If you're pinging from the above with just standard pings, the WAN address will be used as the source and will never match your policy. If that's the case, try "ping 8.8.8.8 source 10.3.201.1"

John..... the ping is coming from the 10.3.201.1 host. It is on the LAN side. The g0/1 interface has 6 sub interfaces servicing the 6 vlans on this site. The next hop for the route map is on one of the vlans. Other traffic exits via g0/0 into the corp wan.

I have created a few other test ACLs and none of them get matches regardless of the host, VLAN or traffic type. Confused!

Couldn't find any bug info but just upgraded from c1900-universalk9-mz.SPA.152-2.T to c1900-universalk9-mz.SPA.152-3.T (it was a 1921 BTW!) and everything dropped into place. The image I replaced is still available for download!
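
The setup described in the original question, written out as an added example (not configuration posted by anyone in the thread): policy routing for host 10.3.201.1 on g0/1.3, followed by the show commands that reveal whether the policy is matching. The ACL number 101, the route-map name INET-PBR, the next hop 192.0.2.1 and the assumption that internal destinations fall within 10.0.0.0/8 are placeholders, not values from the thread.

```cisco
! Added example. ACL 101, INET-PBR and 192.0.2.1 are placeholders.
!
! Match only internet-bound traffic from the host. A deny entry in an ACL
! used by a route-map means "do not policy route", so traffic to internal
! 10.0.0.0/8 destinations (assumed corporate range) follows the normal
! routing table out to the corporate WAN.
access-list 101 deny   ip host 10.3.201.1 10.0.0.0 0.255.255.255
access-list 101 permit ip host 10.3.201.1 any
!
route-map INET-PBR permit 10
 match ip address 101
 set ip next-hop 192.0.2.1
!
! Apply on the ingress subinterface for the host's VLAN; PBR acts on
! packets as they arrive on this interface.
interface GigabitEthernet0/1.3
 ip policy route-map INET-PBR
!
! Verification (exec mode), run while the host pings an internet address:
!   show ip policy               - interface-to-route-map bindings
!   show route-map INET-PBR      - policy routing match counters
!   show access-lists 101        - per-entry ACL match counters
!   debug ip policy              - per-packet policy decisions (lab use)
```

If the route-map and ACL counters both stay at zero while traffic from the host is flowing through the interface, the configuration itself is unlikely to be the cause, which is consistent with the image upgrade resolving the problem in this thread.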